Malware spam: "Bank account record" leads to Locky

Did you forget to finish the Bank account record?
Read the attachment and let me know if there is anything I didn't make clear.

Yours sincerely,
Stephen Ford

57ad5eceb5e68fe97525ff408e9da2ecda5a97be6743bbe0fe

The sender will vary from email to email, but the "From" name is always consistent with the one signing the email. Attached is a ZIP file named with a random hexadecimal number, which in the sample I am looking at contains a malicious .wsf script starting with the words "account record" (sample here).

The dropped binary has a detection rate of 5/55 and is presumably Locky ransomware, but automated analysis is inconclusive [1][2].

There is also traffic to kassa.p0.ru, which is more of a puzzle and doesn't look particularly malicious. I don't know if that is common to all scripts, but it might be worth looking out for in your traffic logs.
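As an added example (not part of the original post), the two indicators above can be turned into a small triage check: flag a hex-named ZIP attachment that carries a .wsf script, and pick out proxy log lines whose URL host is kassa.p0.ru. The attachment name, the script body and the log format below are constructed for the example and are not the real sample.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

# Indicators from the post: a ZIP named with a random hexadecimal string,
# a .wsf (Windows Script File) inside it, and outbound traffic to kassa.p0.ru.
HEX_ZIP_NAME = re.compile(r"^[0-9a-f]{8,}\.zip$", re.IGNORECASE)
WATCH_DOMAINS = {"kassa.p0.ru"}


def suspicious_attachment(filename, data):
    """Return the list of reasons an attachment matches the campaign pattern.

    An empty list means nothing matched. The archive is only listed, never
    extracted or executed.
    """
    reasons = []
    if HEX_ZIP_NAME.match(filename):
        reasons.append("zip named with a random-looking hex string")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.infolist():
                if member.filename.lower().endswith(".wsf"):
                    reasons.append(f"contains Windows Script File: {member.filename}")
    except zipfile.BadZipFile:
        reasons.append("zip extension but not a valid zip archive")
    return reasons


def hosts_in_proxy_log(lines, watch=WATCH_DOMAINS):
    """Return (line_number, host) for log lines whose URL host is a watched
    domain or one of its subdomains. Any whitespace-separated log format with
    a full URL field works; the sample below is a constructed one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if "://" not in token:
                continue
            host = (urlsplit(token).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in watch):
                hits.append((n, host))
    return hits


def build_sample_zip():
    """Constructed stand-in for the attachment described in the post: a hex-named
    ZIP holding a .wsf file. The script body is inert placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "account record 7f3a.wsf",  # constructed name
            "<job><script language='JScript'>// placeholder, not the real script</script></job>",
        )
    return "3f9c2a7e1b4d.zip", buf.getvalue()  # constructed hex filename


# Constructed proxy log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    "2016-08-01T10:12:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2016-08-01T10:12:03Z 10.0.0.5 GET http://kassa.p0.ru/ 200",
    "2016-08-01T10:12:04Z 10.0.0.7 GET http://intranet.example.org/login 302",
]

if __name__ == "__main__":
    name, data = build_sample_zip()
    for reason in suspicious_attachment(name, data):
        print(f"{name}: {reason}")
    for line_no, host in hosts_in_proxy_log(SAMPLE_LOG):
        print(f"log line {line_no}: contact with watched host {host}")
```

The attachment check deliberately stops at listing the archive members; the point is to surface the pattern (hex-named ZIP wrapping a script) for a human or a sandbox, not to open the script. The host match also covers subdomains, so a variant under a different hostname on the same domain would still be reported.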